CISA orders federal agencies to fix hundreds of exploited security flaws

CISA has issued this year's first binding operational directive (BOD) ordering federal civilian agencies to mitigate security vulnerabilities exploited in the wild within an aggressive timeline.

BOD 22-01 (Reducing the Significant Risk of Known Exploited Vulnerabilities) applies to both software and hardware on internet-facing and non-internet-facing federal information systems, including the ones managed by federal agencies or third parties on an agency's behalf.

The goal of this government-wide directive is to help both federal agencies and public/private sector organizations keep pace with ongoing threat activity by improving their vulnerability management practices and reducing their exposure to cyberattacks.

"BIG step forward today in protecting Federal Civilian Networks—Binding Operational Directive (BOD) 22-01 establishes timeframes for mitigation of known exploited vulnerabilities and requires improvements in vulnerability management programs," said CISA Director Jen Easterly.

"The BOD applies to federal civilian agencies; however, ALL organizations should adopt this Directive and prioritize mitigating vulnerabilities listed on our public catalog, which are being actively used to exploit public and private organizations."

Agencies ordered to patch 2021 bugs within two weeks

CISA has published a catalog of hundreds of exploited security vulnerabilities that expose government systems to significant risks if successfully abused by threat actors.

Agencies are ordered to remediate the security flaws listed in the known exploited vulnerabilities catalog according to the timelines set by CISA:

• Flaws exploited this year must be patched within the next two weeks, by November 17, 2021.
• Flaws exploited through the end of 2020 must be fixed within six months, by May 3, 2022.

Currently, the catalog includes 200 vulnerabilities identified between 2017 and 2020 and 90 from 2021. CISA will update it regularly with newly discovered vulnerabilities that meet all of the following conditions:

• The vulnerability has an assigned Common Vulnerabilities and Exposures (CVE) ID.
• There is reliable evidence that the vulnerability has been actively exploited in the wild.
• There is a clear remediation action for the vulnerability, such as a vendor-provided update.

With today's directive, CISA also ordered federal agencies to review and update their internal vulnerability management procedures within 60 days.

They will also have to submit quarterly reports on patch status via CyberScope or the CDM Federal Dashboard; agencies that have not yet migrated away from CyberScope must instead report bi-weekly until October 1, 2022.
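As an added illustration, not code from the article or from CISA, the following Python triage applies the directive's three catalog-inclusion conditions and its two remediation deadlines to a constructed set of entries. It assumes the year of a flaw is taken from its CVE ID (matching the "2021 bugs" framing above); the CVE IDs, patched set and dates are constructed placeholders.

```python
import re
from dataclasses import dataclass
from datetime import date

# Remediation deadlines stated in BOD 22-01 for the initial catalog (from the article).
DEADLINE_2021 = date(2021, 11, 17)    # flaws from 2021: two weeks
DEADLINE_PRE_2021 = date(2022, 5, 3)  # flaws from 2020 and earlier: six months
CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")

@dataclass(frozen=True)
class Entry:
    cve_id: str
    exploited: bool   # reliable evidence of active in-the-wild exploitation
    remediation: str  # clear remediation action (e.g. vendor update); "" if none

def qualifies(e: Entry) -> bool:
    """The three inclusion conditions the directive sets for the catalog."""
    return bool(CVE_RE.match(e.cve_id)) and e.exploited and bool(e.remediation)

def due_date(e: Entry) -> date:
    """Assumption: the year is read from the CVE ID, as in '2021 bugs'."""
    year = int(CVE_RE.match(e.cve_id).group(1))
    return DEADLINE_2021 if year >= 2021 else DEADLINE_PRE_2021

def triage(entries, patched, today):
    """Map each catalog-qualifying CVE to its remediation status on `today`."""
    report = {}
    for e in entries:
        if not qualifies(e):
            continue  # not a catalog entry under the directive's conditions
        if e.cve_id in patched:
            report[e.cve_id] = "remediated"
        elif today > due_date(e):
            report[e.cve_id] = "overdue"
        else:
            report[e.cve_id] = "due " + due_date(e).isoformat()
    return report

# Constructed sample data: placeholder CVE IDs, not real catalog entries.
SAMPLE = [
    Entry("CVE-2021-90001", True, "vendor update"),
    Entry("CVE-2019-90002", True, "vendor update"),
    Entry("CVE-2020-90003", True, ""),          # no clear remediation action
    Entry("not-a-cve", True, "vendor update"),  # no CVE ID assigned
    Entry("CVE-2018-90004", True, "vendor update"),
]

def run_sample(today=date(2021, 12, 1)):
    """Triage the constructed sample; CVE-2018-90004 is already patched."""
    return triage(SAMPLE, patched={"CVE-2018-90004"}, today=today)
```

Entries that fail any of the three conditions never enter the report, so the same filter doubles as a check on a locally maintained copy of the catalog.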

"Vulnerabilities that have previously been used to exploit public and private organizations are a frequent attack vector for malicious cyber actors of all types," CISA said.

"These vulnerabilities pose significant risk to agencies and the federal enterprise. It is essential to aggressively remediate known exploited vulnerabilities to protect federal information systems and reduce cyber incidents."
